Using a Virtual Wire Pair

A virtual wire pair consists of two interfaces that have no IP addressing and are treated similarly to a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded out the other interface, provided that a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

Virtual wire pairs are useful for unusual topologies where MAC addresses do not behave normally: for example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

In FortiOS 5.4, virtual wire pairing replaces the port pairing feature available in earlier firmware versions. Unlike port pairing, virtual wire pairing can be used for FortiGates in both NAT/Route and Transparent modes.

In the example configuration below, a virtual wire pair (consisting of port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network will access the web server through the ISFW over the virtual wire pair.

Adding a virtual wire pair and virtual wire pair policy

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

Go to Network > Interfaces and select Create New > Virtual Wire Pair.

Select the interfaces to add to the virtual wire pair. These interfaces cannot be part of a switch, such as the default lan/internal interface.
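The same setup expressed in the FortiOS CLI, as an added example rather than text from the original page: it first keeps admin access on an interface outside the pair (the precondition above), then creates the port3/port4 virtual wire pair and adds the virtual wire pair policy that lets internal users reach the web server over HTTP and HTTPS. The admin interface name port1, the web server address 192.168.1.10 and the object names are assumptions; the policy form (both members listed as source and destination interface) is the CLI representation of a virtual wire pair policy as the editor understands it for FortiOS 5.4 and should be checked against the CLI reference for the firmware in use.

```fortios
# Precondition (assumed): admin access stays on port1, which is not a member of the pair.
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end

# Create the virtual wire pair from port3 and port4.
# Members must not belong to a switch (for example the default lan/internal interface).
config system virtual-wire-pair
    edit "vwp-web"
        set member "port3" "port4"
    next
end

# Address object for the protected web server (constructed example address).
config firewall address
    edit "web-server"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# Virtual wire pair policy: both members appear as source and destination interface,
# so the policy matches traffic entering either side of the wire. Only HTTP/HTTPS
# to the web server is accepted; anything else on the wire falls to the implicit deny.
# "edit 0" creates the policy with the next free ID.
config firewall policy
    edit 0
        set name "vwp-web-server"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

After applying this, confirm the pair with show system virtual-wire-pair; because the policy logs all traffic, sessions crossing the wire (and anything hitting the implicit deny) appear under the forward traffic logs, which is the quickest way to verify that only the intended web traffic is passing between the two ports.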